checkPrivileges({}, deniedPrivs);
}
-void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const
+void AppInstallHelperExt::checkGroupPrivileges(const PrivilegeVector &expectedPrivs) const
{
static PolicyConfiguration policy;
- const auto allowed_groups = policy.privToGroup(allowedPrivs);
- RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
+
+ // get expected groups
+ auto expectedGids = policy.groupToGid(policy.privToGroup(expectedPrivs));
+ RUNNER_ASSERT_MSG(expectedGids.size() == expectedPrivs.size(),
"Some privileges given were not found in the policy");
+ std::sort(expectedGids.begin(), expectedGids.end());
- std::vector<gid_t> allowed_gids;
- for (const auto &groupName : allowed_groups) {
- errno = 0;
- struct group* grp = getgrnam(groupName.c_str());
- RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
- allowed_gids.push_back(grp->gr_gid);
- }
+ // get current process groups
+ int ret = getgroups(0, nullptr);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
- checkGids(allowed_gids);
+ std::vector<gid_t> actualGids(ret);
+ ret = getgroups(ret, actualGids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ // remove groups unrelated to privileges
+ const auto allPrivGids = policy.getGid();
+ auto notPrivGid = [&](gid_t gid){
+ return std::find(allPrivGids.begin(), allPrivGids.end(), gid) == allPrivGids.end();
+ };
+ actualGids.erase(std::remove_if(actualGids.begin(), actualGids.end(), notPrivGid),
+ actualGids.end());
+ std::sort(actualGids.begin(), actualGids.end());
+
+ // expected but not allowed
+ std::vector<gid_t> notAllowedGids;
+ std::set_difference(expectedGids.begin(), expectedGids.end(),
+ actualGids.begin(), actualGids.end(),
+ std::back_inserter(notAllowedGids));
+
+ RUNNER_ASSERT_MSG(notAllowedGids.empty(),
+ notAllowedGids.size() << " expected groups were not assigned");
+
+ // allowed but not expected
+ std::vector<gid_t> notDeniedGids;
+ std::set_difference(actualGids.begin(), actualGids.end(),
+ expectedGids.begin(), expectedGids.end(),
+ std::back_inserter(notDeniedGids));
+
+ RUNNER_ASSERT_MSG(notDeniedGids.empty(),
+ notDeniedGids.size() << " unexpected groups were assigned");
}
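Review bot: The `notPrivGid` filter drops every supplementary group that is not in `policy.getGid()` before the comparison, so this check no longer fails when the process holds groups outside the policy; the removed `checkGids` rejected any group that was not in the reference set. If that narrowing is intentional (for example because the launcher legitimately adds unrelated groups, which is not visible here), state it in a comment such as `// groups outside the privilege policy are deliberately not verified here`. The two final assertions also report only a count, whereas the old message named the offending gid; printing the contents of `notAllowedGids` and `notDeniedGids` would make a failure actionable. Separately, `std::set_difference` respects multiplicity, so if two expected privileges map to the same group (cannot be told from this hunk) the first assertion would report a missing group that is in fact assigned.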
void AppInstallHelperExt:: checkSmackPrivileges(const PrivilegeVector &allowedPrivs,
}
}
-void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
-{
- int ret;
- std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
-
- // Reset supplementary groups
- ret = setgroups(0, NULL);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
-
- Api::setProcessGroups(m_appName);
-
- ret = getgroups(0, nullptr);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- std::vector<gid_t> actualGids(ret);
- ret = getgroups(ret, actualGids.data());
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- for (const auto &gid : actualGids) {
- RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
- "Application shouldn't get access to group " << gid);
- referenceGids.erase(gid);
- }
-
- RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
-}
-
} // namespace SecurityManagerTest
check_path(sharedRODir, getSharedROPathLabel());
}
-RUNNER_TEST(security_manager_02_app_install_uninstall_full)
+RUNNER_CHILD_TEST(security_manager_02_app_install_uninstall_full)
{
const PrivilegeVector defaultPrivs = {
PRIV_INTERNAL_AUDIO,
app.checkAfterInstall();
app.checkDeniedPrivileges(someDeniedPrivs);
- app.checkPrivilegeGroups(defaultAllowedPrivs);
+ {
+ ScopedAppLauncher launcher(app, [&]{ app.checkGroupPrivileges(defaultAllowedPrivs); });
+ }
check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
app.checkAfterUninstall();
}
+RUNNER_CHILD_TEST(security_manager_02a_set_process_groups)
+{
+ const PrivilegeVector defaultPrivs = {
+ PRIV_INTERNAL_AUDIO,
+ PRIV_INTERNAL_DISPLAY,
+ PRIV_INTERNAL_VIDEO,
+ };
+ const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
+
+ auto defaultAllowedPrivs = defaultPrivs;
+ defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
+
+ AppInstallHelperExt app("sm_test_02a");
+ app.addPrivileges(allowedPrivs);
+ {
+ ScopedInstaller appInstall(app);
+
+ app.checkAfterInstall();
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+ if (pid != 0) {
+ waitPid(pid);
+ } else {
+ Api::setProcessGroups(app.getAppId());
+ app.checkGroupPrivileges(defaultAllowedPrivs);
+ exit(0);
+ }
+ }
+ app.checkAfterUninstall();
+}
+
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
{
std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
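Review bot: The forked child in `security_manager_02a_set_process_groups` calls `Api::setProcessGroups(app.getAppId())` without first clearing the inherited supplementary groups, which the removed `checkGids` did with `setgroups(0, NULL)`. Unless `setProcessGroups` replaces the whole list (not visible here), the outcome depends on which groups the test runner already holds, and a privilege group inherited from the runner could mask a missing assignment. Consider adding `RUNNER_ASSERT_MSG(setgroups(0, nullptr) != -1, "Unable to reset supplementary groups");` before the call. It is also worth confirming the failure path in the child: if `RUNNER_ASSERT_MSG` throws, the exception would unwind through `ScopedInstaller` in the child instead of reaching `exit(0)`.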